Practical work 9
Topic: Building a VPN network in the information and communication systems of enterprises and organizations.
Aim of the work. To develop the skills needed to build a virtual protected network on routers using site-to-site technology.
Brief theoretical information
A VPN (Virtual Private Network) is a logical network built on top of another network, for example the Internet. Although communication in this network runs over ordinary, insecure network protocols, encryption is used to create channels for exchanging information that are closed to outsiders. A VPN allows an organization to join several of its offices into a single network over channels between them that it does not control.
In turn, a VPN has the properties of a separate network, but this network is realized over a public network such as the Internet. Using the tunnelling method, data packets are transmitted across the public network just as in an ordinary point-to-point connection. Between each "sender-receiver" pair a dedicated tunnel, a secure logical connection, is established, which allows data to be encapsulated from one protocol into another.
Figure 9.1. Structure of a virtual protected network
Procedure
The Cisco Packet Tracer program is started.
The topology shown below is built.
The built topology is tested.
Figure 9.2. The network topology under study
Sequence of commands entered on ROUTER_1.
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#int fa 0/0
Router(config-if)#no sh
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
Router(config-if)#ip nat inside
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#exi
Router(config)#int fa 0/1
Router(config-if)#no sh
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exi
Router(config)#ip access-list extended for-nat
Router(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
Router(config-ext-nacl)#exi
Router(config)#ip nat inside source list for-nat int fa 0/1 overload
Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
Router(config)#ip dhcp pool vl2
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.2.1
Router(dhcp-config)#dns-server 8.8.8.8
Router(dhcp-config)#exi
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#encryption aes
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#crypto isakmp key 123 address 2.2.2.1
Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac
Router(config)#ip access-list extended for-vpn
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Router(config-ext-nacl)#exi
Router(config)#crypto map kriptokarta 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address for-vpn
Router(config-crypto-map)#set peer 2.2.2.1
Router(config-crypto-map)#set transform-set ts
Router(config-crypto-map)#exi
Router(config)#int
Router(config)#interface fa 0/1
Router(config-if)#
Router(config-if)#crypto map kriptokarta
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exi
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
Router(config)#
Router(config)#ho
Router(config)#hostname doston-jumayev-r1
doston-jumayev-r1(config)#
doston-jumayev-r1(config)#
Sequence of commands entered on ROUTER_2.
Router>
Router>ena
Router>enable
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int
Router(config)#interface fa 0/0
Router(config-if)#
Router(config-if)#no sh
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#ip nat inside
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#exit
Router(config)#int fa 0/1
Router(config-if)#no shut
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Router(config-if)#ip address 2.2.2.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip access-list extended for-nat
Router(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
Router(config-ext-nacl)#exit
Router(config)#ip nat inside source list for-nat int fa 0/1 overload
Router(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2
Router(config)#ip dhcp pool vl3
Router(dhcp-config)#network 192.168.3.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.3.1
Router(dhcp-config)#dns-server 8.8.8.8
Router(dhcp-config)#exit
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#encryption aes
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 123 address 1.1.1.1
Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac
Router(config)#ip access-list extended for-vpn
Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#exit
Router(config)#crypto map kriptokarta 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address for-vpn
Router(config-crypto-map)#set peer 1.1.1.1
Router(config-crypto-map)#set transform-set ts
Router(config-crypto-map)#exit
Router(config)#int fa 0/1
Router(config-if)#crypto map kriptokarta
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exi
Router(config)#
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
Router(config)#
Router(config)#ho
Router(config)#hostname doston-jumayev-r2
doston-jumayev-r2(config)#
Sequence of commands entered on ROUTER_3:
Router>
Router>ena
Router>enable
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#int fa 0/0
Router(config-if)#no sh
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#ip address 1.1.1.2 255.255.255.252
Router(config-if)#int fa 0/1
Router(config-if)#no sh
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Router(config-if)#ip address 2.2.2.2 255.255.255.0
Router(config-if)#exi
Router(config)#
Router(config)#ho
Router(config)#hostname doston-jumayev-asosiy
doston-jumayev-asosiy(config)#
Figure 9.3. Configuration of ROUTER_1.
The completed laboratory work is tested, i.e. connectivity from PC0 to PC2 is checked using the ICMP protocol.
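As an added consistency check that is not part of the lab, the following Python script (not from the original page or from Cisco) reads the NAT and crypto ACLs and interface addresses from the two routers' command sequences above and verifies three things before the ping test: the for-vpn ACLs mirror each other, for-nat denies the tunnel traffic before the overload rule translates it, and each router's LAN interface actually lies in the subnet its crypto ACL protects. The sample configurations are reconstructed from the ROUTER_1 and ROUTER_2 transcripts; run on them, the script reports that ROUTER_1's FastEthernet0/0 address 192.168.1.1 is outside the 192.168.2.0/24 network used by its DHCP pool and both ACLs.

```python
import ipaddress

# Constructed sample input: this lab's ROUTER_1 / ROUTER_2 commands in running-config form (prompts stripped).
R1 = """ip address 192.168.1.1 255.255.255.0
ip address 1.1.1.1 255.255.255.252
ip access-list extended for-nat
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended for-vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255"""
R2 = """ip address 192.168.3.1 255.255.255.0
ip address 2.2.2.1 255.255.255.0
ip access-list extended for-nat
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended for-vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"""

def net(t):  # IOS ACL address ['addr', 'wildcard'] or ['any'] -> ip_network (a source of 'any' is not handled)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ".".join(str(255 - int(o)) for o in t[1].split("."))
    return ipaddress.ip_network(f"{t[0]}/{mask}")

def parse(cfg):  # collect interface addresses and named extended ACL entries
    info, acl = {"addrs": [], "acl": {}}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:3] == ["ip", "access-list", "extended"]:
            acl = info["acl"].setdefault(t[3], [])
        elif t[0] in ("permit", "deny"):
            acl.append((t[0], net(t[2:4]), net(t[4:6])))
        elif t[:2] == ["ip", "address"]:
            info["addrs"].append(ipaddress.ip_interface(f"{t[2]}/{t[3]}"))
    return info

def check_pair(a, b):  # cross-check both ends; an empty list means the tunnel definitions agree
    findings = []
    for name, me, other in (("R1", a, b), ("R2", b, a)):
        vpn, nat = me["acl"]["for-vpn"], me["acl"]["for-nat"]
        local, remote = vpn[0][1], vpn[0][2]
        if vpn != [("permit", d, s) for _, s, d in other["acl"]["for-vpn"]]:
            findings.append(f"{name}: for-vpn is not the mirror image of the remote for-vpn")
        # NAT must exempt VPN traffic first: once overload NAT rewrites the source address,
        # the packet no longer matches the crypto ACL and leaves the outside interface unencrypted
        if nat[0] != ("deny", local, remote):
            findings.append(f"{name}: for-nat does not deny {local} -> {remote} before NAT")
        if not any(i.ip in local for i in me["addrs"]):
            findings.append(f"{name}: no interface address inside the local VPN subnet {local}")
    return findings
```

The ISAKMP policy in this lab (hash md5, group 2, pre-shared key 123) is acceptable inside Packet Tracer, but outside a lab a SHA-2 hash, a larger DH group and a long random key should be used, since the pre-shared key is all that authenticates the peers.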
Figure 9.4. Addresses of the PC0 and PC2 computers
Figure 9.5. Results of testing the topology
To view the statistics of data sent through the VPN channel, the following command is entered: